From bed8a68d2805a68096eff3d1c3c94068eda9baa2 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Thu, 17 Dec 2020 00:41:23 +0000
Subject: [PATCH] Exclude broken algorithms from the list of secure algorithms

---
 java/ql/src/semmle/code/java/security/Encryption.qll          | 4 ++--
 java/ql/test/library-tests/Encryption/Test.java               | 1 -
 java/ql/test/library-tests/Encryption/cryptoalgospec.expected | 4 ++--
 java/ql/test/library-tests/Encryption/secure.expected         | 4 ++--
 4 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/java/ql/src/semmle/code/java/security/Encryption.qll b/java/ql/src/semmle/code/java/security/Encryption.qll
index 38e7b16c9f0..dea253b1a00 100644
--- a/java/ql/src/semmle/code/java/security/Encryption.qll
+++ b/java/ql/src/semmle/code/java/security/Encryption.qll
@@ -99,7 +99,7 @@ string getAnInsecureAlgorithmName() {
   result = "RC5" or
   result = "ARCFOUR" or // a variant of RC4
   result = "ECB" or // encryption mode ECB like AES/ECB/NoPadding is vulnerable to replay and other attacks
-  result = "AES/CBC/PKCS5Padding" // CBC mode of operation with PKCS#5 (or PKCS#7) padding is vulnerable to padding oracle attacks
+  result = "AES/CBC/PKCS[5|7]Padding" // CBC mode of operation with PKCS#5 (or PKCS#7) padding is vulnerable to padding oracle attacks
 }
 
 /**
@@ -141,7 +141,7 @@ string getASecureAlgorithmName() {
   result = "SHA512" or
   result = "CCM" or
   result = "GCM" or
-  result = "AES" or
+  result = "AES([^a-zA-Z](?!ECB|CBC/PKCS[5|7]Padding)).*" or
   result = "Blowfish" or
   result = "ECIES"
 }
diff --git a/java/ql/test/library-tests/Encryption/Test.java b/java/ql/test/library-tests/Encryption/Test.java
index e010eaf5849..613476292ef 100644
--- a/java/ql/test/library-tests/Encryption/Test.java
+++ b/java/ql/test/library-tests/Encryption/Test.java
@@ -14,7 +14,6 @@ class Test {
 			"AES/ECB/NoPadding",
 			"AES/CBC/PKCS5Padding");
 
-
 	List<String> goodStrings = Arrays.asList(
 			"AES",
 			"AES_function",
diff --git a/java/ql/test/library-tests/Encryption/cryptoalgospec.expected b/java/ql/test/library-tests/Encryption/cryptoalgospec.expected
index f9564b1df25..f066e6a0b0b 100644
--- a/java/ql/test/library-tests/Encryption/cryptoalgospec.expected
+++ b/java/ql/test/library-tests/Encryption/cryptoalgospec.expected
@@ -1,2 +1,2 @@
-| Test.java:35:4:35:17 | super(...) | Test.java:35:10:35:15 | "some" |
-| Test.java:39:3:39:38 | getInstance(...) | Test.java:39:29:39:37 | "another" |
+| Test.java:37:4:37:17 | super(...) | Test.java:37:10:37:15 | "some" |
+| Test.java:41:3:41:38 | getInstance(...) | Test.java:41:29:41:37 | "another" |
diff --git a/java/ql/test/library-tests/Encryption/secure.expected b/java/ql/test/library-tests/Encryption/secure.expected
index f1b206d7205..a305f4ae778 100644
--- a/java/ql/test/library-tests/Encryption/secure.expected
+++ b/java/ql/test/library-tests/Encryption/secure.expected
@@ -1,2 +1,2 @@
-| Test.java:16:4:16:8 | "AES" |
-| Test.java:17:4:17:17 | "AES_function" |
+| Test.java:18:4:18:8 | "AES" |
+| Test.java:19:4:19:17 | "AES_function" |